On Mon, Jan 9, 2023 at 9:03 PM Konstantin Olchanski <olcha...@triumf.ca> wrote:
>
> On Mon, Jan 09, 2023 at 08:04:19PM -0500, Nico Kadel-Garcia wrote:
> >
> > ... you can validate the source tarballs and review any patches and the
> > .spec file.
> >
>
> no, I cannot validate and review this. I am not clever enough. Could never
> figure out even obfuscated C contest puzzles, forget about cyberwarfare
> malicious exploit codes.
> I looked at the stuff a few times, just for kicks. Yes, beyond my ken.

OpenBSD publishes their GPG signatures for their OpenSSH tarballs. If
you can't validate the tarball... that kind of step is broadly
published. If you can't find or do that, and can't read the PAM config
files.... you probably shouldn't be building your own version of
OpenSSH. The intermediate version of OpenSSH will still be vulnerable
to any vulnerabilities published since that release, but it's old enough
to be successfully compiled on RHEL 6 based operating systems. The
contemporary release of OpenSSH is not easily compiled on SL 6, I
checked.
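
The tarball signature check mentioned above, as an added example that is not part of the original message and is not code from the OpenSSH or OpenBSD projects. The function name verify_release is hypothetical; the tarball, detached signature, release key file and the full key fingerprint (obtained from a source you already trust) are all supplied by the caller.

```shell
#!/bin/sh
# Verify a release tarball against a detached GPG signature, pinning the signer.
# Exit codes: 0 = valid signature from the pinned key, 1 = verification failed,
#             2 = bad usage or unreadable input, 3 = gpg not installed.
verify_release() {
    [ $# -eq 4 ] || { echo "usage: verify_release TARBALL SIG KEYFILE FINGERPRINT" >&2; return 2; }
    tarball=$1 sig=$2 keyfile=$3
    for f in "$tarball" "$sig" "$keyfile"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 2; }
    done
    # Normalise the pinned fingerprint: strip spaces, upper-case the hex.
    want_fpr=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    case $want_fpr in
        ''|*[!0-9A-F]*) echo "fingerprint must be hex" >&2; return 2 ;;
    esac
    # Short key IDs can be collided, so insist on a full fingerprint.
    [ ${#want_fpr} -ge 40 ] || { echo "need a full fingerprint, not a key ID" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 3; }

    # Throwaway keyring: keys already in the user's keyring cannot satisfy the check.
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    status=$(gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null &&
             gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || status=
    rm -rf "$home"

    # A VALIDSIG status line carries the signing key's fingerprint (field 3) and,
    # as its last field, the primary key's. Compare as strings, never as numbers.
    printf '%s\n' "$status" | awk -v want="$want_fpr" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit !ok }'
}
```

A zero exit status means the signature is valid and was made by the pinned key; importing a key file without comparing its fingerprint only proves that the tarball matches whatever key was downloaded alongside it.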
